“Good governance drives good behaviour,” said Girling, noting that the standards of Basel II have now become the de facto standard.

Operational risk is “about anything that can go wrong” that’s not market or credit risk. “People make mistakes, systems fail, policies fail” plus there is weather risk and general business continuity at stake.

Move to a risk-aware culture, she advised. The building blocks of a risk-aware culture are training, awareness, accountability, and engagement. A risk-aware culture is necessary “otherwise you are just ticking a box. … Engagement is really what you are looking for,” she said. “The more time you spend on culture and awareness, the easier your task.”

When a risk and its control are discovered, “you must write everything down,” Girling said, referring to policies and procedures.

“The first line of defense is the business, the second is the central team, and the third line is audit,” she noted. The first line of defence must identify, assess, monitor, and mitigate the risks associated with a firm’s activities. More memorably, she summarized this as “find it—watch it—size it—kill it.”

Internal loss data is one way to understand the risks of the organization, but “it is the most painful, because it’s a record of all the times we mess up.” However, it is very helpful in creating a remediation plan, and it is “fundamental” to the capital model.

External loss data also feeds the capital model. “We need to know why, where, and how for losses,” said Girling. “Look in the rear-view mirror to see where things went wrong.”

The risk control self-assessment (RCSA) is about what could go wrong right now, but scenario analysis is about what could happen. “Catastrophic losses occur more frequently than expected, therefore scenario analysis is necessary.”

“It’s a good tool to get people thinking outside the box,” Girling said. The scenario analysis is used in the capital model and in risk management.

Girling distinguished between passing the use test and “really” passing the use test. The latter occurs “when they call you.” For example, “do they call you when exploring a new product? To brainstorm strategy?”

“When that happens, then you know you are part of a living, breathing risk culture.”